RE: Securing Application and System logs on WinNT/2K

From: tony.gordon@hewitt.com
Date: 02/14/02


From: tony.gordon@hewitt.com
To: Martin Brys <MBrys@mvsinc.com>
Date: Wed, 13 Feb 2002 17:42:52 -0600


If you can live with the restrictions it creates in your environment, follow this:

RestrictAnonymous Registry Value
Use Registry Editor to view the following registry key, and then add the
following value to this key, or modify it if the value already exists:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value: RestrictAnonymous
Value Type: REG_DWORD
Value Data: 0x2 (Hex)

When the RestrictAnonymous registry value is set to 2, the access token built
for non-authenticated users does not include the Everyone group, and because of
this, the access token no longer has access to those resources which grant
permissions to the Everyone group. This could cause undesired behavior because
many Windows 2000 services, as well as third-party programs, rely on anonymous
access capabilities to perform legitimate tasks.

For example, when an administrator in a trusting domain wants to grant local
access to a user in a trusted domain, there may be a need to enumerate the users
in the trusted domain. Because the administrator in the trusting domain cannot
be authenticated by the trusted domain, an anonymous enumeration may be used.
The benefits of restricting the capabilities of anonymous users from a security
perspective should be weighed against the corresponding requirements of services
and programs that rely on anonymous access for complete functionality.

The following tasks are restricted when the RestrictAnonymous registry value is
set to 2 on a Windows 2000-based domain controller:
Down-level member workstations or servers are not able to set up a netlogon
secure channel.

Down-level domain controllers in trusting domains are not able to set up a
netlogon secure channel.

Microsoft Windows NT users are not able to change their passwords after they
expire. Also, Macintosh users are not able to change their passwords at all.

The Browser service is not able to retrieve domain lists or server lists from
backup browsers, master browsers or domain master browsers that are running on
computers with the RestrictAnonymous registry value set to 2. Because of this,
any program that relies on the Browser service does not function properly.

Because of these results, it is not recommended that you set the
RestrictAnonymous registry value to 2 in mixed-mode environments that include
down-level clients. Setting the RestrictAnonymous registry value to 2 should
only be considered in Windows 2000 environments, and only after sufficient
quality assurance tests have verified that appropriate service levels and
program functionality are maintained.

It will prevent "null" sessions from being established and therefore will prevent
remote connections from accessing your event logs.

The value can also be set to 1, though hacks around it are available.
Thank you, Tony.

Tony Gordon (tony.gordon@hewitt.com)
Information Systems
Hewitt Associates LLC
100 Half Day Rd., Lincolnshire, IL 60069
Fax: (847) 295-8877
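An added example, not code from this thread: a read-only PowerShell audit that reports the RestrictAnonymous value described above and lists which Event Log registry keys still grant Everyone or ANONYMOUS LOGON access. It also reads the per-log RestrictGuestAccess value, which the thread does not mention (that value comes from the Windows 2000 security templates, not from this page). PowerShell postdates this 2002 thread; on NT4/2000 the same keys were inspected with regedt32.

```powershell
# Added example (not from the thread). Read-only audit; run elevated on the host.
# Assumes the classic Eventlog service keys are present under HKLM.
$lsaPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$eventlogPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog'

# Meaning of each RestrictAnonymous value, as summarised in the message above.
$meaning = @{
    0 = 'default: null-session callers carry the Everyone group'
    1 = 'limits some anonymous enumeration; workarounds are known'
    2 = 'Everyone removed from the anonymous token; blocks null-session log reads, breaks down-level clients'
}

$ra = (Get-ItemProperty -Path $lsaPath -Name RestrictAnonymous `
        -ErrorAction SilentlyContinue).RestrictAnonymous
if ($null -eq $ra) { $ra = 0 }   # an absent value behaves like 0
"RestrictAnonymous = $ra  ($($meaning[[int]$ra]))"
""
"{0,-26} {1,-18} {2,-12} {3}" -f 'Log', 'Identity', 'GuestAccess', 'RegistryRights'

# Identities whose Allow ACEs let non-admins (including null sessions) read a key.
$broad = @('Everyone', 'ANONYMOUS LOGON')

Get-ChildItem -Path $eventlogPath | ForEach-Object {
    $logName = $_.PSChildName          # Application, System, Security, DNS Server, ...
    # RestrictGuestAccess=1 is what the security templates set to keep guests and
    # null sessions out of a log; Security normally has it, the others often do not.
    $rga = (Get-ItemProperty -Path $_.PSPath -Name RestrictGuestAccess `
             -ErrorAction SilentlyContinue).RestrictGuestAccess
    if ($null -eq $rga) { $rga = 'unset' }

    $acl = Get-Acl -Path $_.PSPath
    foreach ($ace in $acl.Access) {
        # Strip the domain/authority prefix, e.g. "NT AUTHORITY\ANONYMOUS LOGON".
        $id = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $id) {
            "{0,-26} {1,-18} {2,-12} {3}" -f $logName, $id, $rga, $ace.RegistryRights
        }
    }
}
```

Rows listed here are logs whose key ACL still admits Everyone or ANONYMOUS LOGON; as Martin observed further down, tightening those ACLs alone did not stop remote viewing in his tests, so treat the output as a starting point, not proof of a fix.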

-----Original Message-----
From: Martin Brys <MBrys@mvsinc.com>
Sent: 02/12/2002 01:08 PM
To: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>; focus-ms@securityfocus.com
cc:
Subject: RE: Securing Application and System logs on WinNT/2K

Yes, I tried changing the registry permissions for the
HKLM\System\CurrentControlSet\Services\Eventlog\ keys and it does not work.
After the modification of each key's permissions, you still can view the log
from the remote machine when first connected with the Event Viewer
(interesting fact: subsequent refresh commands will cause events to
disappear, though).
Any other ideas?

Martin

-----Original Message-----
From: McCammon, Keith [mailto:Keith.McCammon@eadvancemed.com]
Sent: Tuesday, February 12, 2002 1:37 PM
To: Martin Brys; focus-ms@securityfocus.com
Subject: RE: Securing Application and System logs on WinNT/2K

Change permissions on HKLM\System\CurrentControlSet\Services\Eventlog\*
as needed.

-----Original Message-----
From: Martin Brys [mailto:MBrys@mvsinc.com]
Sent: Tuesday, February 12, 2002 12:18 PM
To: focus-ms@securityfocus.com
Subject: Securing Application and System logs on WinNT/2K
Importance: High

Does anyone know a method to secure Application and System Event Logs to
allow viewing only to Administrators? Restrictive permissions are set by
default for the Security Event Log; can we achieve the same or similar
behavior for other logs (hopefully including Directory Services, DNS and File
Replication Service on Domain Controllers)? Any hints would be
appreciated.

Martin Brys MCSE